Detections
Analytics

DISA STIG Splunk Enterprise 8.x for Linux v1r5 STIG REST API

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Splunk Enterprise 8.x for Linux v1r5 STIG REST API

Updated: 8/28/2024

Authority: DISA STIG

Plugin: Splunk

Revision: 1.2

Estimated Item Count: 23

Audit Items

DescriptionCategories
DISA_STIG_Splunk_Enterprise_8.x_for_Linux_REST_API_v1r5.audit from DISA Splunk Enterprise 8.x for Linux v1r5 STIG
SPLK-CL-000020 - Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) when account events are received (creation, deletion, modification, or disabling).
SPLK-CL-000080 - Splunk Enterprise must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the server.
SPLK-CL-000100 - Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.
SPLK-CL-000110 - In a distributed environment, Splunk Enterprise indexers must be configured to ingest log records from its forwarders.
SPLK-CL-000130 - Splunk Enterprise must be configured to retain the DoD-defined attributes of the log records sent by the devices and hosts.
SPLK-CL-000140 - Splunk Enterprise must allow only the individuals appointed by the Information System Security Manager (ISSM) to have full admin rights to the system.
SPLK-CL-000150 - Splunk Enterprise must be configured to offload log records onto a different system or media than the system being audited.
SPLK-CL-000160 - Splunk Enterprise must be configured to send an immediate alert to the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity - at a minimum when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.
SPLK-CL-000170 - Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.
SPLK-CL-000180 - Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.
SPLK-CL-000250 - Splunk Enterprise must be configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.
SPLK-CL-000260 - Splunk Enterprise must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.
SPLK-CL-000270 - Splunk Enterprise must use TCP for data transmission.
SPLK-CL-000280 - Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
SPLK-CL-000290 - Analysis, viewing, and indexing functions, services, and applications used as part of Splunk Enterprise must be configured to comply with DoD-trusted path and access requirements.
SPLK-CL-000300 - When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.
SPLK-CL-000320 - Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.
SPLK-CL-000330 - Splunk Enterprise must use HTTPS/SSL for access to the user interface.
SPLK-CL-000390 - Splunk Enterprise must be installed in FIPS mode to implement NIST FIPS-approved cryptography for all cryptographic functions.
SPLK-CL-000450 - Splunk Enterprise must only allow the use of DoD-approved certificate authorities for cryptographic functions.
SPLK-CL-000460 - Splunk Enterprise must be configured to protect the confidentiality and integrity of transmitted information.
SPLK-CL-000490 - Splunk Enterprise must accept the DoD CAC or other PKI credential for identity management and personal authentication.